Cyber Security and Trade Protectionism

Naveen Garg

Abstract

The world is becoming increasingly connected and businesses, governments, defence forces, and utilities all rely heavily on networked systems. Although the benefits of a networked economy are indisputably visible as economic growth, the real and perceived threat to security should not be ignored. The risk arising from networked systems and economy, though not new, is still vaguely defined. In the absence of agreed upon definitions and common rules to tackle the issue, different countries confront this issue as in ways suited to their own interests. In some cases, action by governments and authorities ultimately result in trade protectionism, intentionally or unintentionally. As a result, there has been a growing demand for the issue of cyber security to occupy a more prominent position on the agenda of multilateral forums like G20. Since only a limited a number of world powers are addressing the threat to cyber security so far, forums like the G20 can be effective platforms to give smaller countries a say and to allow for coordination among the other players.

Introduction

Security is one of the most sensitive policy fields across the world and every sovereign state probably dreads its compromise. The slightest indication of a breach in security can increase tension between countries and have complex consequences, given the multiple dimensions of trade policy, including political, social and commercial factors. States have always tried to protect and expand their trade interests either defensively or offensively. Trade can cause issues, over which ways may even be fought, and some credit it as the root cause of colonialism as well.

In the last forty to fifty years, technology has completely changed the way business is done across the world. It not only spawned new businesses but also changed the way traditional businesses operate. For any company, regardless of size, technology is one of the most important factors of industry. Typically, organizations are expected to use technology to innovate, grow, and increase efficiency; however, technology is being used increasingly as an offensive weapon in the corporate and political world. This problem becomes even more severe when we talk about networked technology systems or the cyber world. In order to protect the assets of economic and political interests, countries are taking tough measures against real and potential cyber-attacks.

The Economist identifies trade protectionism as one of the major factors that led to economic disaster of the 1930s. When the more recent financial crisis hit the globe, world leaders tried not to make the same mistakes from historical financial crises. However, some industry and policy experts are arguing that practices related to cyber security, though necessary to some extent, are giving rise to trade protectionism. Based on a report from WTO also trade barriers have been creeping back up in the recent years (The Economist 2012).

Free trade has been a major item on the agenda for the G20, a group of nations representing 85% of the world’s GDP. The member countries often lock horns with each other over trade protectionism issues. Recently some major countries have been accused of breaching the network security of other countries’ corporations and other systemically important establishments. In such conflicts, one of the major problems faced is that the definitions and policies related to the cyber world are not clear. Increasingly, it has been demanded that the world leaders start paying more attention to cyber security issues, and that multinational forums put these issues on their high priority agenda. Additionally, as the major economic powers in the world are getting serious about cyber threats to their trade and sovereignty, a forum like G20 has to take center stage in order to represent the interests of its broad-based membership.

The cyber security threat

The security threat related to technology is much more than just making a computer dysfunctional through a virus or other types of malware. An attack can take the form of a network shutdown, increased bogus traffic to slow down the network, taking control of the networks, stealing classified information, or targeting physical assets such as power plants or air traffic control by interfering with technology systems. Some of the common targets of cyber-attacks are governments, defence systems and large corporations. For instance, hacker attacks have been reported within a wide range of industries, including banks (TD Bank and Wells Fargo), technology companies (Microsoft, Apple and Facebook) and media companies (WSJ and NY Times) etc. have been attacked by hackers (Hawes 2013). According to a U.S. Government Accountability Office report, there has been a 782% increase in the number of reported security breaches of federal agencies between 2006 and 2012 (US Government Accountability Office 2013).

Although the threat to cyber security is a reality for most companies and government agencies, the term “cyber security” is vaguely defined and could mean different things in different contexts. This threat is no longer a new concept, but the definitions, laws and rules are not advancing at the same pace as the seriousness and potential impact of these attacks. There are some particular challenges with regards to cyber-attacks. First, anybody sitting in the remotest corner of the world can engage in such activities without being physically present at the crime scene. Second, individuals or organizations with limited resources can still cause serious damage. Lastly, catching the perpetrator of an attack is a much more difficult task when the medium through which the crime is committed is the internet. In the context of this paper, another important aspect is establishing the real motivation behind the attack. Distinguishing whether it is a politically motivated action or a malicious business tactic can be really challenging.

Cyber security as a corporate defense

Today almost all the big companies operate in a networked world. There is always a risk that any critical disruption in network connectivity or compromise of network security can jeopardize a company’s operations. For instance, sometimes authentication information of a company’s network users is stolen and made public; other times trade secrets are compromised and sold to competitors. Corporations heavily invest in securing their networks from potential threats and this practice is the source of tens of billions of dollars’ worth of network security industry across the world. No matter how much effort and resources industries invest in protecting their technology assets, the threat seems to be always increasing.

In the recent times, large corporations and governments have become much more vocal and open about the threats that they face every day from malicious sources. In February 2013, the White House issued an executive order for improving the cyber security of critical infrastructure of the country (The White House 2013). In this executive order, cyber security issues were identified as a challenge to both national and economic security. The order intended to set up a framework to allow intelligence sharing between the government and privately owned critical national infrastructure companies such defence contractors, utility companies and the banks. However, other private corporations have been excluded from this mandate for now and many details related to this order also remain to be clarified.

Through its Internet Industry Association, Australia has also taken a firm step in order to form a government and private sector partnership to tackle cyber security related issues. The association is now working with similar bodies in other countries. In an interview with Reuters, Peter Coroneos, cofounder of the International Internet Industry Association and the former CEO of the Australian Internet Industry Association, highlighted that simultaneous action has to be taken in multiple jurisdictions in order to tackle cyber security issues effectively (Bendeich 2011).

Cyber security as a trade protectionism tool

It is interesting to consider which stakeholders have the ultimate responsibility of protecting national and private assets from attack. This issue becomes even more complicated when assets of national interests are owned and operated by private corporations. It is well established that governmental and defence assets ought to be protected by the governments, but what about guarding private organizations? Do individual private organizations have enough resources, information and expertise? If governments get involved in protecting private companies, where is the line drawn from the trade protectionism perspective? This issue becomes even more complicated as the rules and definitions are not well defined. Addressing cyber security issues by governments could be considered a positive form of trade protectionism. While traditional trade protectionism intends to provide undue advantage to a country’s domestic companies, protection from cyber-crime intends to avoid undue advantage gained by the outsiders.

The real or perceived threats related to cyber security are giving rise to intentional and unintentional trade protectionism. For instance, vulnerabilities within network systems can be introduced while manufacturing the technology equipment. Trade barriers, such as the random checking of goods at the port of entry or the prohibition of certain goods from certain suppliers, might take place (Scissors 2011). For many years, telecom equipment manufacturers have complained that they have been victims of trade protectionism in the name of national security. Both developed and developing countries alike have been involved in such cases. In other cases, internet companies have been asked to share their users’ private information with government authorities and as a result some of them had to pull out of certain markets while the local players continued to function by agreeing to government terms.

Derek Scissors (2011) argues that trade policy to protect from cyber-attacks cannot be held hostage by protectionism just because cyber security is ill-defined. This certainly calls for more coordinated efforts by the policymakers to not only define the threat to security but also to determine the appropriate responses by the authorities when a particular type of threat is demonstrated (Scissors 2011). In this discussion, the interests of smaller countries cannot be overlooked. If their governments and organizations are not capable or are unwilling to engage in these activities to protect their product, and it is excluded from certain jurisdictions, do we really have a competitive marketplace anymore? Considering this, we believe that the policy development should be much more aggressive with regards to cyber security than it is today. In the same way that policy development helped in laying the ground rules of international trade in the post-world-war era, it is important that the new economic reality of the world be understood by the policymakers.

What about the smaller players?

There is already some progress with regards to cyber security policy making in small pockets around the world; however, the industry has been pushing for more coordinated efforts at multilateral level. It has been demanded that the world leaders should consider putting cyber security on the international agenda at forums such as the G20.

Considering the fact that promoting financial regulations that reduce risks and modernizing international financial architecture are already on the G20’s agenda, the issue of cyber security seems to be a good fit. In fact in 2010, South Korea tried to put cyber security on the G20’s agenda and advocated the creation of an international cybercrime organization (Tong-hyung 2010). Putting cyber security on the G20’s agenda will push those nations that are slow-moving or unwilling to take a stand against hacking. This is particularly important from the perspective of less powerful nations. The major economies of the world control the internet and technology business. They have the expertise, resources, and authority to dictate the rules. In this connected world, every party including small and less powerful economies should have a say in the policy matters affecting their sovereignty and economic wellbeing.

The Economist Intelligence Unit has developed The Cyber Power Index which measures the success of digital adoption and cyber security, and the degree to which the economic and regulatory environment in G20 nations promotes cyber security within a nation (Booz Allen 2012). A benchmarking study of 19 out of the world’s 20 leading economies has found that only the United Kingdom and the United States have the resources to withstand cyber-attacks and to deploy digital infrastructure necessary for a productive and secure economy (Booz Allen 2012). The study has also highlighted that some of the major economies have not even taken any basic steps to combat potential threats from cyber intrusion. In particular, developing nations are lagging far behind their developed peers in terms of legal and regulatory frameworks.

Conclusion
It is common to draw parallels between trade and war. As defence technology changed, the rules of war also changed. Similarly, technology has changed the way business is done. An important element of business technology is the interconnected systems that allow large corporations to operate more efficiently and store their critical business information. The downside of networked businesses is that security can be compromised and competitors can get unauthorized access to trade secrets or even disrupt operations. Governments and businesses have become much more serious about this threat in recent times.

The challenge is that the real nature and impact of cyber security threats is not well defined. In recent times some experts have raised concerns that trade protectionism is taking place in the form of cyber security, ostensibly to protect assets of national interest. As smaller countries don’t have the expertise, resources, and authority to dictate the rules of this game, the responsibility to protect their interests must be taken up by multilateral forums like G20, which should pursue this agenda more actively and aggressively.

US Government Accountability Office. 2013. Cyber Security: National Strategy, Roles, and Responsibilities Need to be Better Defined and more Effectively Implemented. February 14.http://www.gao.gov/products/GAO-13-187.